[Bug 6606] generic 3rd-party <mark>, Smart Tags, and Activities prevention

http://www.w3.org/Bugs/Public/show_bug.cgi?id=6606





--- Comment #2 from Nick Levinson <Nick_Levinson@yahoo.com>  2009-02-24 05:11:50 ---
Your blog article is thoughtful. But:

I hope we're not debating whether property rights should exist. You may
certainly interpret my creation but you can't change it and claim that's my
interpretation. The insertion of dotted underlines and double underlines is not
by the site owner. Most people don't know the difference in meaning between
single- and double-underscores or solid and dotted, and they reasonably assume
the website owner inserted both kinds for the same purpose. It's bad enough
that I, as a site owner, must take the affirmative step of blocking them, and
worse that I have to do so on every page and not just once site-wide. It's even
worse if I'm not allowed to block at all. The alternative of no one both owning
and controlling a website is not feasible in today's world. When I see a major
Linux website with a popup ad for SCO Unix, if I didn't know how that happened
I'd be right to question the legitimacy of that entire Linux site and all its
content.

Owners do have a right to control how anyone's user agent presents the owner's
page, to the extent that if the browser is standards-compliant and the site
owner has access to those standards they may design accordingly and, unless the
end user opts to make changes to the browser, the site owner may expect the
presentation to come within a reasonable range of expectations. That's why
Microsoft's permission is needed before an intermediary (other than a foreign
national government) may alter the results the Microsoft MSN search engine
gives users and claim it's what Microsoft supplied. Otherwise, imagine if
someone, say, Microsoft or some child, could use browsers worldwide to alter a
Saudi or Venezuelan national website's presentation to appear to give away all
their oil. Browser owners and sellers have more than a social responsibility of
nondeception; it's a legal duty if they offer faithful presentation but go way
off course. If a browser supplier offers HTML standards compliance, what's
needed is a standard that assures that the viewing experience will, within
reason, conform to the page author's intent. In the U.S., warranties of
merchantibility, fitness for use, and acceptability don't even have to be
stated in product literature because they're embodied in law and they apply
even if a browser's lit doesn't mention HTML per se. Since Windows is sold with
the browser included as an inducement to buy, the same warranties would likely
require something like HTML compliance for Win. When computers are sold with
Win as an inducement to buy, the same principle applies to the computer as a
whole with Win and IE. And if Microsoft or a competitor wants to announce that
they'll no longer support HTML, which they can, without a replacement feature
their business would likely plummet. So, while not ironclad, HTML is part of
the law governing browsers.

Providers like Google and Microsoft are not utilities entitled to monopolize
under U.S. law so as to justify regulating their services more closely. Thus,
if the user-agent link-adding is lawful, they may carry advertisements on these
services and that's not generally anticompetitive. Thus, it makes sense for a
business to block a competitor's ads from appearing as if from the first
business's website. But without information on who is advertising when, they
need to be able to block all such activity.

If I want to read an article in a major magazine, I may get the magazine in
hard copy or find an online site from the magazine's publisher. I may also go
to a third-party provider of magazine articles, such as EbscoHost, ProQuest, or
Nexis. We do not expect them to rewrite the articles (although they may if,
say, an original publisher was sued for libel and saw fit to order changes by
all reproducers, not to mention errors due to optical scanning of text (OCR)).
In general, they don't modify them and that fits our use expectations. That
kind of expectation applies to most Web content as seen in our browsers.

Framing is a technology that presents a similar problem. While one author's
frame around another author's work may be clear as to distinction of content
ownership, it may be not at all clear, and a frame may even have no visual
border at all. U.S. laws such as that against unfair competition and
misrepresentation provide some protection, but the shortage of protection is
why some sites use legal terms to forbid framing, probably not very
successfully. However, the problem count is smaller since, to my knowledge,
framing isn't done by user agents but by single sites. Browsers and toolbars
raise the scale and the need.

On HTML's role in security attacks via the mark tag, you're probably right, but
I'll get a bit technically legal here in support of a small rewording: HTML5's
role in a security breech would come if it grants permission to system
designers, as I saw in this statement: "Another example of the mark element is
highlighting parts of a document that are matching some search string. If
someone looked at a document, and the server knew that the user was searching
for the word 'kitten', then the server might return the document with one
paragraph modified as follows: . . . . <mark>kitten</mark> . . . ." Section
4.6.7. That looks like permission for the server to interject markup into a
byte stream. Given that many people in large organizations view outside
websites in a way that involves at least two servers per visit, one hosting and
others not, the section seems to be permission for any nonhost server to sell
advertising or comment on content as if it's the author's commentary. Thus, the
security breech would be furthered by HTML as permission. However, as I didn't
find any reference in the document to any server that wasn't acting on a served
document somehow as authorized, e.g., by checking a certificate, if you're
right that the intent was not as I feared, then we should propose rewording the
HTML standard before finalization so only the site owner's server might mark
the string if nonowners are to be conformant.

I'm not an attorney and laws vary by nation and circumstance, but if you
believe there's any error in the above please let us know.

That some services come with conditions that are user-approved is legally true
but not with users' knowledge in most cases. People rarely read terms of
service. Intelligent people rarely read them. Lawyers rarely read them. They
rarely read them even when installation cannot proceed until an option to agree
has been clicked on and probably even if scrolling to the end of the terms is
prerequisite. (I wonder if most computer geeks read them.) I read or skim them
but many people consider me weird, strange, eccentric, etc. Who has liability
(quality of notice is a little-discussed legal issue in U.S. law) is one
question. Whether the user has actual knowledge and not just a duty to know is
another question. Because of the huge numbers of users involved and their
reliance on what they find on the Internet, I think we should be on the side of
recognizing that the lack of actual knowledge on the part of most users,
including intelligent users, should lead us to be cautious on how legal rights
of other parties should be handled.

Institutional intermediaries present another problem. A public library offers
computers requiring little more than a library card for access (a library card
in my city requires little more than a piece of mail as proof of residence).
Recently, a major library disabled access to ads appearing on certain sites. I
could still access my email account but ads sent by other servers to the email
inbox were blocked. A staff aide said the library did the blocking. I do recall
a user not knowing that a banner graphic was an ad. (Yahoo seems to have made
distinguishing top-of-page sponsored links from search results more subtle.) In
short, many people use computers under other parties' control and don't know
that content may be changed. They think they're seeing the Internet and
assurance should be provided that they're likely seeing what the page authors
intended unless the user has taken extra steps to diverge, as a disabled user
might when wanting high-contrast layouts. Natural-language translation services
I've seen generally effectively use an opt-in system.

Links being graphically different according to function is inadequate when many
sites make their links graphically different for no reason other than
aesthetics, thus effectively teaching users that links being graphically
different has no meaning, or, more realistically, that it often has no meaning,
when the thing over there is just a link. That occurs not only on leading-edge
designs with few non-specialist visitors but also on major high-traffic
high-visitor-count high-amateur-visitor-count corporate sites. That occurs
despite usability advice to use standard looks for links. It occurs often.

I develop on Win9x partly because I'm a cheapskate (and they're licensed) but
also because anything developed on older versions is likely to work on newer,
unlike the inverse, and I've tested already-uploaded websites at public
terminals with newer Win. Wine is in a cat-and-mouse game with Microsoft and MS
is pretty well able to keep its quarry in a mousehole just by staying ahead on
specs without telling the Wine programmers, who must keep looking at the latest
MS versions and thus can't spend as much time fine-tuning compatibility with
older versions. I wish otherwise. Open source is better quality. MS has the
right to be proprietary and could outperform OSS if MS put its managerial mind
to it, but they're too busy trying, inter alia, to hijack our content, thus the
request for a means to block Activities or whatever they want to call them
next. I noticed that the instruction offered by MS on their website on how to
block Smart Tags was apparently no longer on their website, but only on
third-party websites. While MS has a rational reason for its removal, namely
that it was relevant only to a beta release and they don't support beta
releases after their time has passed, they should have left it up and should
assure similar tools for future technologies will be provided from the
beginning.

I'm perfectly capable of creating an ordinary link from a book title on my own
site to a bookstore's online offer, or from an address to a map. If I don't
serve my visitors very well, I risk losing my visitors. That risk should be
left to me, as the site owner. I do not care for Microsoft's paternalism.

-- 
Nick


-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Tuesday, 24 February 2009 05:11:59 UTC